X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Ftls.c;h=a541a3c7a3210546aae49bc79435adb0e0623864;hb=c895de68398ece932fb371f527e24ce233f6ac7b;hp=1fd10d52b374000a425166f90804a88482076aea;hpb=01603eec64d42431f182b33008206facfc7f800e;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/tls.c b/src/src/tls.c index 1fd10d52b..a541a3c7a 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -19,6 +19,11 @@ functions from the OpenSSL or GNU TLS libraries. */ #include "exim.h" #include "transports/smtp.h" +#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS) +# error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build +#endif + + #if defined(MACRO_PREDEF) && !defined(DISABLE_TLS) # include "macro_predef.h" # ifdef USE_GNUTLS @@ -48,7 +53,7 @@ We're moving away from this; GnuTLS is already using a state, which can switch, so we can do TLS callouts during ACLs. */ static const int ssl_xfer_buffer_size = 4096; -#ifndef USE_GNUTLS +#ifdef USE_OPENSSL static uschar *ssl_xfer_buffer = NULL; static int ssl_xfer_buffer_lwm = 0; static int ssl_xfer_buffer_hwm = 0; @@ -122,14 +127,14 @@ tzset(); #ifdef USE_GNUTLS # include "tls-gnu.c" # include "tlscert-gnu.c" - # define ssl_xfer_buffer (state_server.xfer_buffer) # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm) # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm) # define ssl_xfer_eof (state_server.xfer_eof) # define ssl_xfer_error (state_server.xfer_error) +#endif -#else +#ifdef USE_OPENSSL # include "tls-openssl.c" # include "tlscert-openssl.c" #endif @@ -226,7 +231,7 @@ modify_variable(US"tls_bits", &dest_tsp->bits); modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified); modify_variable(US"tls_cipher", &dest_tsp->cipher); modify_variable(US"tls_peerdn", &dest_tsp->peerdn); -#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS) +#ifdef USE_OPENSSL modify_variable(US"tls_sni", &dest_tsp->sni); #endif } @@ -364,6 +369,40 @@ else if ((subjdn = tls_cert_subject(cert, NULL))) } return FALSE; } + + +/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment +and writes a file by that name. Our OpenSSL code does the same, using keying +info from the library API. +The GnuTLS support only works if exim is run by root, not taking advantage of +the setuid bit. +You can use either the external environment (modulo the keep_environment config) +or the add_environment config option for SSLKEYLOGFILE; the latter takes +precedence. + +If the path is absolute, require it starts with the spooldir; otherwise delete +the env variable. If relative, prefix the spooldir. +*/ +void +tls_clean_env(void) +{ +uschar * path = US getenv("SSLKEYLOGFILE"); +if (path) + if (!*path) + unsetenv("SSLKEYLOGFILE"); + else if (*path != '/') + { + DEBUG(D_tls) + debug_printf("prepending spooldir to env SSLKEYLOGFILE\n"); + setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1); + } + else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0) + { + DEBUG(D_tls) + debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path); + unsetenv("SSLKEYLOGFILE"); + } +} #endif /*!DISABLE_TLS*/ #endif /*!MACRO_PREDEF*/